HSC-MET: Heterogeneous signcryption scheme supporting multi-ciphertext equality test for Internet of Drones

Internet of Drones (IoD) is considered a network and management architecture that enables unmanned aerial vehicles (UAVs) to collect data in controlled areas and that conducts access control for UAVs. However, current cloud-assisted IoD schemes cannot efficiently achieve secure communication between heterogeneous cryptosystems and do not support multi-ciphertext equality tests. To improve the security and performance of traditional schemes, we propose a heterogeneous signcryption scheme (HSC-MET) that supports the multi-ciphertext equality test. In this paper, we use a multi-ciphertext equality test technique to let multiple users retrieve multiple ciphertexts simultaneously, safely and efficiently. In addition, we adopt heterogeneous signcryption technology to realize secure data communication from public key infrastructure (PKI) to certificateless cryptography (CLC). At the same time, the proposed scheme is based on computation without bilinear pairing, which greatly reduces the computational cost. According to the security and performance analysis, under the random oracle model (ROM), the confidentiality, unforgeability and number security of HSC-MET are proved based on the computational Diffie-Hellman (CDH) problem.


Introduction
Unmanned aerial vehicles (UAVs) [1,2], as devices using radio remote control technology and self-provided program control mechanisms, have the advantages of small size, low cost, and flexible deployment. As a result, they are widely used in film and television shooting, environmental monitoring, and smart farms. To provide coordinated and orderly access for UAVs, the Internet of Drones (IoD) [3][4][5] came into being. IoD is a sophisticated heterogeneous network containing a large number of sensors and actuators. In the IoD environment, entities communicate through open wireless channels and thus face many privacy and security issues [6]. Entities in IoD also have limited computing and storage capabilities, so it is extremely important to design an efficient and secure algorithm. Bharany et al. [7] proposed a clustering protocol for flying ad-hoc networks (FANETs) based on a moth flame optimization algorithm for safe and [8] proposed a unique clustering algorithm EE-SS for FANETs to increase the service life of UAVs in forest fire detection, which reduced cluster head overhead and improved system efficiency. With the wide application of UAVs, the storage and processing of big data in IoD have become a top priority. Fortunately, cloud computing technology can provide users with computing services regardless of time and place. However, since cloud servers are not trusted, data is usually encrypted or signcrypted before being stored in cloud servers, which makes efficient data retrieval difficult.
To ensure the security of UAVs, Bera et al. [9] proposed a blockchain-based secure access control scheme to achieve authentication between drones and between drones and a ground station server. The scheme satisfies the immutability of data. Hussain et al. [10] proposed an authentication scheme based on elliptic curve cryptography to secure the communication between a data user and a drone. Khan et al. [11] proposed an identity-based proxy signcryption scheme based on hyperelliptic curves. The scheme allows for outsourced decryption to reduce the computational cost. They proved that the scheme satisfies indistinguishability against adaptive chosen ciphertext attacks and existential unforgeability against adaptive chosen plaintext attacks under the ROM. Gope and Sikdar [12] proposed an efficient privacy-aware authenticated key agreement scheme for edge-assisted IoD. The scheme does not need to store any secret keys in the devices but can still provide the desired security features. However, the IoD is a heterogeneous and complex network, so the schemes in [9][10][11][12] are inapplicable. To realize secure communication between heterogeneous cryptosystems, Sun and Li [13] proposed a heterogeneous signcryption scheme (HSC), which realized secure communication from public key infrastructure (PKI) to identity-based cryptography (IBC). Inspired by Sun and Li, many HSC schemes have been proposed [14][15][16][17][18][19][20].
Although the schemes proposed in [14][15][16][17][18][19][20] have realized secure communication between heterogeneous cryptosystems, they do not consider the efficient retrieval of ciphertexts. Cloud storage has brought great convenience, but storing ciphertext reduces the availability of data. Boneh et al. [21] proposed public key encryption with keyword search (PKE-KS) to realize ciphertext retrieval in cloud servers, but it only supports retrieval of ciphertexts encrypted under the same public key. To remove this limitation, Yang et al. [22] proposed a public key encryption scheme that supports the ciphertext equality test (PKE-ET), which allows users to compare two ciphertexts produced under different public keys. Subsequently, scholars proposed a series of similar schemes [23][24][25][26][27], but these schemes only support the equality test after grouping the ciphertexts into pairs. Therefore, they face the challenges of low retrieval efficiency and high computational cost. To reduce the computational cost and improve the efficiency of ciphertext retrieval, Susilo et al. [28] proposed public-key encryption with flexible multi-ciphertext equality test (PKE-FMET). Although this scheme supports the equality test of more than two ciphertexts, it neither provides message authentication nor supports communication between heterogeneous cryptosystems.

Our contributions
With the motivation of solving the above-mentioned problems, we present a heterogeneous signcryption scheme that supports the multi-ciphertext equality test (HSC-MET). The main contributions are as follows.
1. Our scheme utilizes heterogeneous signcryption technology to realize secure communication from PKI to certificateless public key cryptography (CLC), eliminating the limitation of existing schemes that only support communication in the same cryptosystem. [28] proposed public-key encryption with flexible multi-ciphertext equality test (PKE-FMET) to achieve efficient ciphertext retrieval in multi-user scenarios.

Vandermonde determinant
The matrix of the form V =

Formal definition
The HSC-MET scheme consists of the following algorithms.
1. Setup: Input the system security parameter λ; the key generation center (KGC) and certificate authority (CA) output the system master key s and the system parameter para. The KGC publicizes para and keeps s secret.
2. PKI-Gen: Input the identity ID_p of the PKI system user; the CA outputs a digital certificate.
3. CLC-PGen: Input the system parameter para and the identity ID_c of the CLC system user; the KGC outputs the partial private-public key pair.
4. CLC-SSV: ID_c selects s_2 ∈ Z_q^* randomly and sets it as a secret value.
5. CLC-CGen: Input the system parameter para, the secret value s_2 and the partial private-public key pair (SK_c1, PK_c1); the user outputs the complete private-public key pair (SK_c, PK_c).
6. Trapdoor: Input the private key SK_c; the user outputs td_c as the trapdoor.
7. Signcryption: Input the system parameter para, the plaintext message m, the receiver's public key PK_c and the sender's private key SK_p; the sender calculates the ciphertext δ.
8. Unsigncryption: Input the system parameter para, the ciphertext δ, the receiver's private key SK_c and the sender's public key PK_p; the receiver outputs the plaintext message m or the error symbol ⊥.

Security model
In the ROM, the HSC-MET scheme needs to meet the confidentiality of the message, IND-CCA2, and the unforgeability of the ciphertext, EUF-CMA.
Confidentiality. We define two types of adversaries, Type-1 and Type-2. A Type-1 adversary A_1 does not know the system master key but can replace any user's public key. A Type-2 adversary A_2 can obtain the system master key but cannot replace any user's public key.
Definition 2. If no Type-1 adversary A_1 wins Game 1 with a non-negligible advantage in PPT, the HSC-MET scheme satisfies IND-CCA2-1.
Game 1. The game between challenger C and adversary A_1 proceeds as follows.
Setup: C executes the Setup algorithm, outputs the system parameter para and the master key s, returns para to A_1, and stores s secretly.
Phase 1: A_1 can perform a polynomially bounded number of the following queries.
• Partial private key query: A_1 queries the partial private key of ID_c. C executes the CLC-PGen algorithm to generate SK_c1 and returns it to A_1.
• Private key query: A_1 queries the private key of ID_c. C executes the CLC-CGen algorithm to generate (SK_c, PK_c) and returns SK_c to A_1.
• Public key query: A_1 queries the public key of ID_c. C executes the CLC-CGen algorithm to generate (SK_c, PK_c) and returns PK_c to A_1.
• Replace public key query: A_1 can select any public key PK_c2* to replace the original public key PK_c2.
• Trapdoor query: A_1 queries the trapdoor of ID_c. C executes the Trapdoor algorithm to generate td_c and returns it to A_1.
• Signcryption query: When receiving the query (m_i, ID_pi, ID_ci) submitted by A_1, C executes the Signcryption algorithm to generate δ_i and returns it to A_1.
• Unsigncryption query: When receiving the query (ID_pi, ID_ci, δ_i) submitted by A_1, C executes the Unsigncryption algorithm to generate m_i and returns it to A_1.
Challenge: A_1 submits the sender's identity ID_p*, the receiver's identity ID_c* and two plaintexts m_0 and m_1 of equal length to C. C selects ξ ∈ {0, 1} randomly, performs the Signcryption algorithm to generate the ciphertext δ*, and returns it to A_1.

Phase 2:
After receiving δ*, the adversary A_1 continues to execute the queries of Phase 1. However, A_1 can neither query the private key of ID_c* nor make an unsigncryption query on (δ*, ID_p*, ID_c*). A_1 also cannot query the trapdoor of ID_c*.
Definition 3. If no Type-2 adversary A_2 wins Game 2 with a non-negligible advantage in PPT, the HSC-MET scheme satisfies IND-CCA2-2 security.
Game 2. The game between challenger C and adversary A_2 proceeds as follows.
Setup: C executes the Setup algorithm, outputs the system parameter para and the master key s, and returns both to A_2.
Phase 1: A_2 can perform all the queries in Definition 2 except the replace public key query. The Challenge, Phase 2 and Guess stages are the same as in Definition 2 and are not repeated here. We define the advantage of A_2 as Adv^{IND-CCA2-2}.
Unforgeability.
Definition 4. If no adversary F wins Game 3 with a non-negligible advantage ε in PPT, the HSC-MET scheme satisfies EUF-CMA security.
Game 3. The game between challenger C and adversary F proceeds as follows.
Training: F can perform a polynomially bounded number of the following queries.
• Key query: F queries the public key of ID_p; C executes the PKI-Gen algorithm to generate (SK_p, PK_p) and returns it to F.
• Signcryption query: When receiving the query (m_i, ID_pi, ID_ci) submitted by F, C executes the Signcryption algorithm to generate δ_i and returns it to F.
• Unsigncryption query: When receiving the query (ID_pi, ID_ci, δ_i) submitted by F, C executes the Unsigncryption algorithm to obtain m_i and returns it to F.
Forgery: F selects the sender's identity ID_p* and the receiver's identity ID_c*, and forges a ciphertext δ*. If δ* meets the following requirements, F wins Game 3.
• The error symbol ⊥ is not returned when the unsigncryption query is performed on
• The adversary F cannot query the private key SK_p* of ID_p*.
• δ* cannot be generated by the signcryption query on (m*, ID_p*, ID_c*).
We define the advantage of F in this game as Adv^{EUF-CMA}_F(λ) = Pr[F wins].

Scheme design
1. Research questions and methodologies: Table 2 displays the main research problems addressed in this paper and the corresponding solutions, which are based on the collection and analysis of references in the related work subsection.

2. Scheme processes:
• Setup: The KGC and CA initialize the system and generate the system parameters.
• User-Gen: The CA generates digital certificates for UAVs in PKI. The KGC generates partial keys for data users in CLC.
• Signcrypt and upload: UAVs signcrypt the collected data and upload it to the cloud server.
• Test: The cloud server performs the equality test for multi-ciphertexts.
• Download and unsigncrypt: Data users download and unsigncrypt data from the cloud server.
3. System model: The system model of our scheme is composed of five entities: KGC, CA, UAVs, cloud server and data users. The functions of each entity are as follows. The system model diagram is shown in Fig 1.
• KGC. The KGC initializes the system, generates the key and system parameter, and distributes partial keys to data users.
• CA. The CA issues digital certificates for UAVs.
• UAVs. UAVs collect and signcrypt the collected environmental data, and upload it to the cloud server.
• Cloud server. The cloud server stores the uploaded ciphertexts, processes data users' requests by executing the Test algorithm, and returns the test result to the users.
• Data users. Users who wish to obtain environmental data, such as monitoring personnel and data processing centers, submit the trapdoor for the ciphertext equality test to the cloud server and verify the ciphertexts that meet the requirements.

PLOS ONE

Our construction
1. Setup: Given the system security parameter λ, KGC selects a large prime number q (q ≥ 2^λ) and an additive cyclic group G of order q with generator P, together with four hash functions H_1, H_2, H_3, H_4. KGC randomly selects s ∈ Z_q^* as the system master key SK and calculates the public key PK = sP. It also selects n, the maximum number of ciphertexts that can take part in one multi-ciphertext equality test. KGC sets and publishes para = {λ, G, q, P, PK, H_1, H_2, H_3, H_4, n}.
2. PKI-Gen: ID_p selects s_p ∈ Z_q^* randomly and calculates PK_p = s_p P. The user sends (ID_p, PK_p) to the CA, which generates a digital certificate for it.
4. CLC-SSV: ID_c randomly selects s_2 ∈ Z_q^* as a secret value.
a. Calculate f_{0,n} = H_1(m||n) and f_{i,k}, where k is the number of ciphertexts that can be tested for equality.
c. Select r, X ∈ Z_q^* randomly. Calculate Y = SK_p(PK·H_1(ID) + PK_c1) and R = rPK_c2.
If all the equations hold, return m'. Otherwise, return ⊥.
b. Assume that the plaintexts corresponding to the t ciphertexts δ_i are equal. By calculating f^i_{j,k}, we obtain the non-homogeneous linear equation set

Theorem 1. The Unsigncryption algorithm is correct.
Proof. The correctness of the Unsigncryption algorithm can be verified by the following two equations.
Through the above verification, Theorem 1 is established.
Theorem 2. The Test algorithm is correct.

Proof. The correctness of the Test algorithm can be verified by the following equations. Given t ciphertexts δ
Assume that the plaintexts of the t ciphertexts δ_i are m_1, m_2, ..., m_t respectively.
1. When the plaintexts corresponding to the tested t ciphertexts are equal, the correctness of the Test algorithm is proved as follows.
We obtain the equation set Eq (6).
If f^1_{0,k}, f^1_{1,k}, ..., f^1_{k-1,k} are regarded as the solution of the equation set and X_i as a coefficient, the equation set corresponds to the Vandermonde matrix Eq (7).
2. When the plaintexts corresponding to the tested t ciphertexts are not equal, the correctness of the Test algorithm is proved as follows. 3, ..., t} and j ∈ {0, 2, ..., t − 1}. We obtain the equation set Eq (8).

Confidentiality
Theorem 3. If an adversary A_1 can win Game 1 in PPT with a non-negligible advantage ε_1 after q_{h_i} (i = 1, 2, 3, 4) H_i queries, q_d partial private key queries, q_sc signcryption queries and q_usc unsigncryption queries, the challenger C can solve the CDH problem with the non-negligible advantage ε'_1 as shown in Eq (11).
Proof: C is a challenger who wants to solve the CDH problem and A_1 is a Type-1 adversary. Given a challenge instance (P, aP, bP) where a, b ∈ Z_q^*, C and A_1 interact as follows.
Setup: C executes the Setup algorithm to output the system parameter para = {λ, G, q, P, PK, H_1, H_2, H_3, H_4, n}.
Phase 1: C maintains initially empty lists L_hi (i = 1, 2, 3, 4), L_d, L_sk, L_pk and L_td to record the query results of A_1.
• H_1 query: When receiving the query ID_i submitted by A_1, C searches for (ID_i, h_1) in L_h1. If it exists, C returns h_1 to A_1. Otherwise, C selects h_1 ∈ Z_q^* randomly and returns it to A_1. Finally C inserts (ID_i, h_1) into L_h1.
• H_2 query: When receiving the query R_i submitted by A_1, C searches for (R_i, h_2) in L_h2. If it exists, C returns h_2 to A_1. Otherwise, C randomly selects h_2 ∈ {0, 1}^{2l} and returns it to A_1. Then C inserts (R_i, h_2) into L_h2.
• H_3 query: When receiving the query (r_i, PK_ic2) submitted by A_1, C searches for (r_i, PK_ic2, h_3) in L_h3. If it exists, C returns h_3 to A_1. Otherwise, C randomly selects h_3 ∈ {0, 1}^{nl} and returns it to A_1. Then C inserts (r_i, PK_ic2, h_3) into L_h3.
• H_4 query: When receiving the query (C_{1,i}, C_{2,i}, C_{3,i}, f_{i,k}, r_i, PK_ic2, k_i) submitted by A_1, C searches for the corresponding h_4 in L_h4. If it exists, C returns h_4 to A_1. Otherwise, C selects h_4 ∈ {0, 1}^l randomly and returns it to A_1. Then C inserts (C_{1,i}, C_{2,i}, C_{3,i}, f_{i,k}, r_i, PK_ic2, k_i, h_4) into L_h4.
• Partial private key query: When receiving the query ID_ci from A_1, if (ID_ci, SK_ic1) exists, C returns it to A_1. Otherwise, C executes the CLC-PGen algorithm to generate SK_ic1 and returns it to A_1. C inserts (ID_ci, SK_ic1) into L_d.
• Private key query: When receiving the query ID_ci from A_1, if (ID_ci, SK_ci) exists, C returns it to A_1. Otherwise, C executes the CLC-CGen algorithm to generate SK_ci and returns it to A_1. C inserts (ID_ci, SK_ci) into L_sk.
• Public key query: When receiving the query ID_ci from A_1, if (ID_ci, PK_ci) exists, C returns it to A_1. Otherwise, C executes the CLC-PGen algorithm to generate PK_ci and returns it to A_1. C inserts (ID_ci, PK_ci) into L_pk.
• Replace public key query: A_1 can select any public key PK_c2* to replace the user's original public key PK_c2.
• Trapdoor query: When receiving the query ID_ci from A_1, if (ID_ci, td_ci) exists, C returns it to A_1. Otherwise, C executes the Trapdoor algorithm to generate td_ci, returns it to A_1, and inserts (ID_ci, td_ci) into L_td.
• Signcryption query: When receiving the query (m_i, ID_pi, ID_ci) submitted by A_1, C executes the Signcryption algorithm to obtain the ciphertext δ_i and returns it to A_1.
• Unsigncryption query: When receiving the query (ID_pi, ID_ci, δ_i) submitted by A_1, C executes the Unsigncryption algorithm to obtain the plaintext m_i and returns it to A_1.
Challenge: A_1 submits the sender's identity ID_p*, the receiver's identity ID_c*, and two plaintexts m_0 and m_1 of the same length to C. A_1 has never asked for the private key of ID_c*. C randomly selects a ∈ Z_q^* as the secret value of ID_c* and calculates PK*_c2 = aP. Then C randomly selects ξ ∈ {0, 1} and performs the following calculations.
• Calculate f_{0,n} = H_1(m_ξ||n) and f_{i,k} … k) to A_1.
Phase 2: A_1 continues to perform the queries after receiving δ*, but A_1 cannot query the private key of ID_ci, nor can it perform an unsigncryption query on δ*.
Guess: A_1 outputs the guess ξ*. If ξ* = ξ, A_1 wins the game. C selects (R_i, H_2(R_i)) from the list L_h2 and takes R_i = abP as the solution of the CDH problem. However, there is currently no effective way to solve the CDH problem. Theorem 3 is proved.
Theorem 4. If an adversary A_2 can win Game 2 in PPT with a non-negligible advantage ε_2 after q_{h_i} (i = 1, 2, 3, 4) H_i queries, q_d partial private key queries, q_sc signcryption queries and q_usc unsigncryption queries, the challenger C can solve the CDH problem with the advantage ε'_2 as shown in Eq (12).
The proof is similar to that of Theorem 3 and is not repeated here.

Unforgeability
Theorem 5. If an adversary F can win Game 3 in PPT with a non-negligible advantage ε_3 after q_{h_i} (i = 1, 2, 3, 4) H_i queries, q_pk public key queries and q_sc signcryption queries, the challenger C can solve the CDH problem with the advantage ε'_3 as shown in Eq (13).
Proof: C is a challenger who wants to solve the CDH problem and F is an adversary. C selects ID*_p as the challenge identity. Given a challenge instance (P, aP, bP) where a, b ∈ Z_q^*, C and F interact as follows.
Training: The queries that are the same as in Theorem 3 are not repeated here. The queries that differ are described below.
• Key query: When receiving the query ID_pi submitted by F, C executes the PKI-Gen algorithm to generate (SK_p, PK_p) and returns it to F if ID_pi ≠ ID*_p. Otherwise, C randomly selects b ∈ Z_q^*, calculates PK_p = bP, and returns PK_p to F.
• Signcryption query: When receiving the query (ID_pi, ID_ci, m_i) submitted by F, C executes the Signcryption algorithm to generate δ_i and returns it to F if ID_pi ≠ ID*_p. Otherwise, C performs the following operations.
• Calculate f_{0,n} = H_1(m_i||n) and f_{i,…}
If the forgery is successful, C can select (Y', H_2(Y')) from the list L_h2 and take abP = Y' − R'H_1(ID_ci) as the solution of the CDH problem. However, there is currently no effective way to solve the problem. Theorem 5 is proved.

Number security
In this section, we prove the number security of our scheme based on the definition of number security in reference [28].
Theorem 6. If there is an adversary A that, after q_{h_i} (i = 1, 2, 3, 4) H_i queries, q_td trapdoor queries, q_sc signcryption queries and q_usc unsigncryption queries, can determine in PPT with a non-negligible advantage ε_4 whether the underlying plaintexts of t < k ciphertexts δ_i = (C_{i,1}, C_{i,2}, C_{i,3}, C_{i,4}, k_i) are equal, where k = max{k_1, k_2, ..., k_t}, then C can solve the CDH problem with the advantage ε'_4 as shown in Eq (14).
Proof: A has the following two ways to decide.
1. A can decide by obtaining and comparing the plaintexts m_1, m_2, ..., m_t. In the subsection Confidentiality, we have proved the confidentiality of our scheme, so this way is not feasible for A.
2. … and k_i < k' < n. For this way, we perform the following analysis.
For the t ciphertexts δ_1, δ_2, ..., δ_t, A is allowed to perform public key queries and trapdoor queries. So it can calculate X_i || f_{k_i}(X_i) || ... || f_n(X_i) = C_{i,3} ⊕ H_3(td_ci C_{i,1}) and f^i_{j,…}. A can obtain the equation set Eq (15).
Since X_1, X_2, ..., X_t are randomly selected by the users, the probability that the t equations are not linearly correlated is p = … . If f^i_{j,k} is regarded as an independent variable and X_i as a coefficient of the equations, an equation set consisting of t equations with k independent variables is obtained. Because k > t, there is no solution that makes the equation set hold. So this way is not feasible for A.
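As an added illustration (not code from the paper), the polynomial-and-Vandermonde mechanism behind the Test correctness argument of Theorem 2 and the counting argument of Theorem 6: each ciphertext carries a random point X_i and the value at X_i of a polynomial whose coefficients are derived from the plaintext, and the tester checks whether all t points lie on one polynomial of that form. Assumptions not fixed by the page: a constructed prime modulus, coefficients derived as SHA-256(m||j) mod q, and the threshold t > k (with k free coefficients any k distinct points admit a solution, so this simplified model needs extra points to decide); the C_{i,3}/H_3/trapdoor wrapping is omitted.

```python
# Added illustration of the Vandermonde-based multi-ciphertext equality test.
# Not the paper's code; the modulus, coefficient derivation and threshold are assumptions.
import hashlib
import secrets
from typing import List, Optional, Tuple

Q = (1 << 127) - 1  # constructed prime modulus standing in for the group order q


def coeffs(m: bytes, k: int) -> List[int]:
    """f_{0,k}, ..., f_{k-1,k}: k coefficients bound to plaintext m (assumed SHA-256(m||j) mod q)."""
    return [int.from_bytes(hashlib.sha256(m + b"||" + str(j).encode()).digest(), "big") % Q
            for j in range(k)]


def evaluate(f: List[int], x: int) -> int:
    """Horner evaluation of sum_j f[j] * x^j mod q."""
    acc = 0
    for c in reversed(f):
        acc = (acc * x + c) % Q
    return acc


def tag(m: bytes, k: int, x: Optional[int] = None) -> Tuple[int, int]:
    """Per-ciphertext test component (X_i, f_k(X_i)); X_i is a fresh random point unless given."""
    if x is None:
        x = secrets.randbelow(Q - 1) + 1
    return x, evaluate(coeffs(m, k), x)


def solve_vandermonde(points: List[Tuple[int, int]], k: int) -> List[int]:
    """Recover the k coefficients from the first k points by Gauss-Jordan elimination mod q.

    The Vandermonde determinant prod_{i<j}(X_j - X_i) is nonzero for distinct X_i,
    so a nonzero pivot always exists and the solution is unique.
    """
    rows = [[pow(x, j, Q) for j in range(k)] + [y] for x, y in points[:k]]
    for col in range(k):
        piv = next(r for r in range(col, k) if rows[r][col] != 0)
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, Q)
        rows[col] = [v * inv % Q for v in rows[col]]
        for r in range(k):
            if r != col and rows[r][col]:
                fac = rows[r][col]
                rows[r] = [(a - fac * b) % Q for a, b in zip(rows[r], rows[col])]
    return [rows[i][k] for i in range(k)]


def equality_test(points: List[Tuple[int, int]], k: int) -> Optional[bool]:
    """Cloud-side test over t = len(points) ciphertext components.

    Returns None when the system is underdetermined (the number-security case): t <= k
    equations in k unknowns always admit a solution, so nothing can be decided.
    Otherwise solves from k points and checks the remaining t - k equations: equal plaintexts
    give one polynomial through all points, unequal plaintexts give no common solution.
    """
    t = len(points)
    if t <= k:
        return None
    if len({x for x, _ in points}) != t:
        raise ValueError("evaluation points must be distinct (Vandermonde determinant vanishes)")
    f = solve_vandermonde(points, k)
    return all(evaluate(f, x) == y for x, y in points[k:])
```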

Performance analysis
Our scheme is compared with the schemes in references [25,27,28] in terms of performance. Reference [28] uses a traditional public key encryption scheme. We use a PC equipped with an Intel Core i7-7500U CPU@3.5GHz, 8G memory, and Windows 10 for simulation. The representative symbols, their meaning and their computational time are shown in Table 4. The computational cost of each comparison scheme is shown in Table 5. As the number of plaintexts/ciphertexts increases, the computational costs of our scheme and of the comparison schemes in In the signcryption/encryption phase, it can be seen from Table 5 and Fig 2 that, compared with the schemes in [25] and [27], our scheme has no bilinear pairing operations, which greatly reduces the computational cost. Although the computational cost of our scheme is higher than that of the scheme in [28], our scheme not only achieves confidentiality but also satisfies non-repudiation, and it supports communication between heterogeneous cryptosystems. In the unsigncryption/decryption and test phases, Figs 3 and 4 clearly show that our scheme has lower computational costs than the schemes in [25,27,28]. When the number of ciphertexts reaches 20, the computational efficiency of our scheme in the unsigncryption/decryption phase is approximately 2000 times, 1500 times and 30 times that of the three comparison schemes. As the number of ciphertexts increases, the advantage of our scheme in the test phase becomes more obvious.

Conclusion
We proposed the HSC-MET scheme to overcome the problems of existing schemes, such as not supporting communication between heterogeneous cryptosystems, high computational overhead, and low efficiency of ciphertext retrieval. Our scheme uses HSC technology to realize secure communication from PKI to CLC. The scheme has no bilinear pairing operation, which greatly reduces the computational cost and improves communication efficiency. In addition, the multi-ciphertext equality test technique is introduced to realize the simultaneous retrieval of multiple ciphertexts by multiple users, which reduces the computational cost of the ciphertext equality test in the multi-user scenario. Under the ROM, we proved the confidentiality, unforgeability, and number security of the HSC-MET scheme based on the CDH problem. Finally, we compared the scheme with several similar schemes. The results show that our scheme not only has more functional features and higher security but also has lower computational costs in the signcryption, unsigncryption, and test phases. However, the security of our scheme is proved under the random oracle model, which does not fully reflect real-world conditions. In the future, we will further investigate security under the standard model to make the HSC-MET scheme more practical.